Top Technical Mitigation Strategies (from the Australian DSD)

June 2, 2015

There are few solid pieces of empirical evidence on what works in security. The Australian Defense Signals Directorate (DSD) Strategies to Mitigate Targeted Cyber Intrusions is one of those. We at Stratigos Security think a lot of what they do. So does just about everybody else who has come into contact with the documentation.

This post examines some of the assumptions, implications, and a conceptual framework to better understand the document. Let’s start with some of the stated background and assumptions.

Investigation based – That the mitigations are a result of analysis of investigations carried out by the DSD, primarily in the government sector.

Adversary focused – That the mitigations are meant to counter adversarial attack.

Targeted attacks – That the adversaries are motivated to target the victim organization, specifically.

High value information – That the adversaries’ objective is to steal intellectual property, national defense secrets, or other highly sensitive documents.

Exhaustive application of mitigations – That mitigations will be applied to 100% of systems, not just a subset.

There are 35 total mitigations listed, almost all of which are specific technical controls. At Stratigos Security we tend to like to bundle technical controls into a higher level framework. This is more digestible for our clients, and allows for a better understanding of why these mitigations work. That’s the key to long-term success in design, implementation, operation, and maintenance of a security program.

Stratigos has aligned most of these mitigations into a few core objectives. In doing so, we seek to harmonize them so each builds on the others. The set works together much better than the sum of each of the individual ones. Our objectives are as follows, as well as examples of mitigations from the DSD document.

Manage access – Access proceeds only through known mechanisms, which validate authorization and identity.

Multi-factor authentication

Enforce a strong passphrase policy

Contain failure – Security failures in one system or network segment do not affect other systems or segments.

Network segregation and segmentation

Anti-Virus

Host and network IPS

Operating System generic exploit mitigation

Eliminate anomalies – Causes of unknown and unexpected events are identified and eliminated, as appropriate.

Logging of successful and failed system events

Logging of successful and failed network events

Capture network traffic

Astute readers will notice that there is a large gap between the objectives and the underlying mitigations. The mitigations are tools, or supporting technologies, that help achieve the objectives, but they do not ensure the objectives will be achieved. This underscores one of the major mistakes most organizations make when they go to implement such a set of mitigations. It’s worth going back to the background and assumptions and identify some of their consequences. Of course this is far from an exhaustive list.

Limited applicability – These mitigations come from investigations of Australian government organizations. Other organizations may have different experiences.

Accidents are excluded – Security risks which result not from adversarial attack, but from accidents are not included. (One of the most common is data breach caused by theft or loss of a mobile device, laptop, or backup tape.)

Mobile devices are specifically excluded – The mitigations apply to workstations and servers, but not to mobile devices.

Governance, process, personnel are poorly covered – The mitigations do not include non-technical approaches, which can significantly affect security, risk, and cost.

Alternate risk mitigation – Risk mitigations available to corporate entities – such as insurance – are not available.

Cost considerations – Corporations typically require some measure of value justification, associating costs and risks to profitability, rather than to national security or human life.

Impacts – Impacts should be analyzed in the context of the specific solution in the proposed environment.

Implementation quality – Poor implementation of the mitigations would result in reduced effectiveness.

Knowledge of the underlying assumptions, their consequences, and unstated assumptions is key to implementing them appropriately. You can only fill in the missing pieces when you recognize they exist, and where. Some of these missing pieces can help you greatly reduce cost, not just add more to the shopping list.

But we’re diverging from the point here. These six objectives are not the only ones that can be derived from the Australian DSD’s guidance. They have worked for our clients and they allow a fairly complete mapping to the 35 mitigations. This superset also naturally aligns to strategic initiatives to develop processes to take full advantage of these tools. Maybe we’ll add more on that in a future post.